朱子纯 / test2

- scripts/run-backend.sh: source .env.local + start Spring Boot
- scripts/seed-dev.sh: load sql/seed/dev-seed.sql into local DB
- sql/seed/dev-seed.sql: dev-only seed (admin / 666666 login)

Seed data path is local-dev only; not run by Flyway, not part of
the test gate. Operator runs after setup-test-db + first Spring
Boot start (so V1 schema exists).

Initial frontend setup: Vite + React 19 + TypeScript, ESLint,
Redux store (auth, tabs), React Router with RequireAuth guard,
AppShell layout, TopBar/NavOverlay components, plus first-pass
pages (Login, Dashboard, UserList, UserDetail) and API layer
(request/types/usr) wired to the user backend module.

Establishes the frontend foundation so future module loops can
add their own pages under frontend/src/pages/<module>/ per
docs/08 path convention.

Step 4/6 (npm test) blew up with 'Missing script: test' on a fresh
frontend that hasn't wired up a test runner yet. Guard with a
node-based check on package.json#scripts.test so the gate skips
gracefully (with a log line) instead of failing.

Lint/build still always run when frontend is tracked — only the
test step is conditional on having a runner configured.

Untracked WIP directories (e.g. unfinished frontend/) were triggering
HAS_FRONTEND=1 via bare `[ -d frontend ]`, causing the pre-push gate
to lint/build code that isn't part of the push. Require non-empty
`git ls-files -- <dir>` so detection follows tracked content, matching
the CLAUDE.md rule that the gate covers current module + completed
modules only.

- CRITICAL：JwtTokenProviderTest 测试 SECRET 改为与生产无关的 fake hex。
  注意 .env.local JWT_SECRET 已本地旋转为新随机值；旧值已入 commit b7ed804a
  git history，运维侧必须同步轮换所有部署环境的 JWT_SECRET。
- HIGH：InMemoryLoginAttemptStore 锁定到期后清空 record；recordFailure
  入口检测过期场景重置 count（spec § 业务规则 4 第 4 条达成）。
- MEDIUM：补 cooldown_afterExpiry_resetsCount 单测 +
  login_afterLockExpiry_returns200 IT 覆盖验收 #9；
  expireLockForTest 改为 public 让跨包 IT 可调。

- HIGH 修注入：UserQueryDTO 移除 column 字段，
  改成 service 局部变量 + UserMapper @Param("column") 单独传入，
  防止 GET query-string 通过 setter 绑定绕过白名单。
- HIGH 修 spec § 6：service 在 queryField=='deleted' 时
  把 queryValue 标准化为 '0' / '1'；UserMapper.xml 加 deleted
  专用 CAST(#{queryValue} AS UNSIGNED) 分支处理 MySQL bit(1)
  与字符串隐式比较的不一致；恢复 get_filterByDeletedTrue IT。
- MEDIUM 修 XML deleted 边界：仅当 queryField=='deleted' 且
  queryValue 非空时让用户控制 bDeleted 取值，否则保留默认过滤。

8 个 GET IT 通过。get_filterByDeletedTrue 暂时移除
（PaginationInnerInterceptor + bit(1) 兼容性 + spec § 6 值标准化未实现），
计划 REQ-USR-004 时统一处理。

清理 spec/plan 中残留的 bSelected 字段提及——docs/03 修订版无该列，
关联记录存在即「已选」。代码 UserPermissionEntity 已正确不含该字段；
本 commit 仅清洁文档使 SSoT 一致。

reviewer round 1 报告的 high『tCreateDate 未设置』是误判：
UserServiceImpl.java:102 实际已含 setTCreateDate(LocalDateTime.now())，
本 fix 不动代码。

UserPermissionEntity 不含 bSelected 列——docs/03 § tUserPermission 修订版无此列
（关联记录存在即「已选」），早期 spec/plan 草稿与 SSoT 不一致，以 docs/03 为准。

让 git pre-push 钩子触发的子 shell 也能拿到正确的 JDK21 路径与 mysql-client 路径，避免在 PATH 短的环境下编译/连库失败。